N.J., health care cyber groups strike information sharing deal
A pair of cybersecurity information sharing organizations are partnering to strengthen the security of New Jersey’s hospitals.
The National Healthcare Information Sharing and Analysis Center, known as NH-ISAC, is teaming up with the New Jersey Cybersecurity and Communications Integration Cell, a state fusion center aimed at encouraging cooperation on cyber issues among all levels of government and the private sector. Under the new agreement, announced late last month, the two centers will begin sharing data on possible threats their systems detect, as well as analyses on the significance of that data.
Since Gov. Chris Christie created the state fusion center with an executive order last May, state Cybersecurity Director Dave Weinstein told StateScoop he’s tried to be “pretty selective” about the organizations he partners with. But he said the “host of multinational health care companies” headquartered in New Jersey and the state’s “plethora of health care providers” underscore the need to more carefully monitor the sector.
“It gives us a lot more insights that we previously didn’t have access to,” Weinstein said of the new agreement. “Our main data source for cyber intelligence is public sector networks, and the threats that are facing state and county governments are, in most cases, completely different than the threats impacting the health sector.”
Weinstein helped engineer a similar information sharing arrangement with the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, in July to gain more insight into the threats confronting the banking sector. It was during those negotiations that he met Denise Anderson — then, the vice president of the FS-ISAC. When she headed over to the NH-ISAC to become its president, she found it easy to strike an arrangement with Weinstein and his team.
“I actually see it being even more relevant to health care, because in the health care sector, there’s a lot of players in New Jersey,” Anderson said. “Being able to collaborate with them on that level, things they may be seeing from a state perspective and being able to share what we have from an owner-operator perspective, I think is very valuable.”
Anderson noted that the state’s ability to share threat data on an automated basis made them an especially attractive partner. Weinstein said that as his group takes in information on cyberthreats from the state and local levels, it’s automatically passed to the NH-ISAC’s servers via a “peer-to-peer” connection — and vice versa.
“They’re bringing information from all of their members, not only from across the United States but across the world,” Weinstein said. “We’re trying to get as close to zero-day intelligence as possible, and our only shot at doing that is through automation.”
[Read more: Study: N.J. localities poorly equipped to manage IT risk]
Once the state has that data, Weinstein said his team can apply their “analytical tradecraft and horsepower” to provide context to the raw information. He stressed that type of analysis is especially valuable for the smaller health care providers in the NH-ISAC’s network, since they might not have the same caliber of resources as larger hospitals or major pharmaceutical companies.
“We apply a layer of analytical tradecraft to distill the ones and zeros and translate them into nouns, adjectives and verbs that smaller companies can digest, and we share that as quickly as possible with their members across the state,” Weinstein said.
Anderson added that all of her network’s members have work to do when it comes to ramping up security, regardless of size, so New Jersey’s findings will likely prove valuable.
“In finance, it’s been a target for a very long time, their infrastructure was based on cyber very quickly,” Anderson said. “In health care, that wasn’t necessarily the case … so they’re finding themselves where they have to do a cultural shift.”
Data collected and shared by health care providers has become even more valuable to hackers than financial information, since “you can’t change your birthdate the way you can your credit card data,” she said. And as medical devices have become increasingly connected to the Internet, Anderson said there are more systems than ever that need to be secured, making the partnership with the state a critical one.
Weinstein hopes that the new relationship will also encourage the members of the NH-ISAC to start sharing data with the state on an individual basis to form a “network within a network” and keep New Jersey ahead of the pack when it comes to cybersecurity.
“We’re a little bit ahead of the curve, particularly relative to other states in the information sharing space, and we recognize that we can’t do it alone,” Weinstein said. “These threats reside outside of our technical reach, so we need to partner with other organizations.”
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.